Worm outbreak yields bumper crop of spam

By William Jackson

Sep 13, 2007

A 24-hour outbreak of the StormWorm in mid-August apparently was responsible for a 30 percent spike in spam two days later, according to an analysis of malicious activity on the Internet by MessageLabs.

Before the outbreak of worm activity Aug. 15, the typical dot-com domain received an average of 366 pieces of spam e-mail an hour, said Paul Wood, a senior security analyst at MessageLabs. Two days after the outbreak, it peaked at 491 an hour.

Spam activity typically goes up and down following outbreaks of worms that can infect networked computers with malicious code to make them spam servers. 'What changed in August was the amplitude of the spike,' Wood said. 'We're seeing larger volumes.'

That spike accounted for an overall 3 percent increase in spam in August reported by MessageLabs.

Most of the spam consisted of text-based stock fraud messages intended to pump up the price of a stock so it could be sold for a large profit by the bad guys. Neither the scam nor the worm behind the e-mails is new, but the burst of activity illustrates the effectiveness of a worm that has built up its presence during the past year after a disappointing launch.

Much of the spam associated with fraud, data theft and other illegal activity is sent by computers compromised by worms carrying malicious code and then organized into increasingly large and sophisticated bot nets. Analysts at WatchGuard Technologies said one of these worms, StormWorm, did not appear to be very successful in its initial release, but it has continued to infect more computers, and its bot client software has been repeatedly updated until it has become a virtual utility knife.

'We've had blended threats before, but these are becoming more and more complex,' one WatchGuard analyst said.

'The technology is more sophisticated,' Wood said. Computers sending out spam or other malicious code can change their IP addresses repeatedly, and many of the client bots contain databases of other compromised computers so that if a command-and-control server for a bot net is found and cut off, bots can notify each other of the new command-and-control channel, and the network can be restored 'literally, a self-healing bot net.

There are no firm figures for the number or size of bot nets StormWorm has seeded, but estimates place the number of compromised computers between 1.5 million and 1.8 million. This figure is not high compared with the numbers of infections carried out by mass-mailing worms earlier in the decade, but 'it's certainly the biggest we've seen in the last five years or so,' Wood added.